Chronic dev team releases greenpois0n jailbreak
The chronic dev team (@chronicdevteam) have released greenpois0n, their iOS jailbreak tool featuring an implementation of geohot’s bootrom exploit. Downloads are available for Mac OS X, Windows and Linux. It also only works on iOS 4.1.
This release of greenpois0n supports:
– iPhone 4
– iPhone 3G S
– iPod touch (4th Generation)
– iPod touch (3rd Generation)
– iPad
Soon there will be another release, adding things like support for:
– Apple TV (2nd Generation)
– iPod touch (2nd Generation)
[Updated 4/2/2011] greenpois0n updated to jailbreak iOS 4.2.1
limera1n brings unpatchable iOS Jailbreak
geohot has released limera1n, the latest iOS jailbreak. After the success of comex’s Jailbreakme.com, which was patched by iOS 4.0.2, limera1n brings a theoretically unpatchable exploit thanks to an extremely low-level vulnerability that affects all of Apple’s iOS-base devices. Both Mac OS X and Windows versions of limera1n are now available for download.
The jailbreak uses an exploitable vulnerability in the iOS boot-rom. This is the reason it’s theoretically unpatchable, as the boot-rom is something that would need to be physically flashed on the affected devices. By ‘unpatchable’ I mean that Apple will not be able to patch the vulnerability that makes the jailbreak possible, on existing iOS devices. If this is indeed the case, then this would mean that the current line of iOS devices are guaranteed to be jailbreakable even when applying new iOS updates. Apple would have to patch the bug in the boot-rom in new devices they release down the line.
In other news, the jailbreaking scene has had its feathers ruffled as the chronic dev team were originally going to release their greenpois0n jailbreak (using their SHAtter exploit). Rumor has it they shared their exploit with geohot, who went ahead and published his own tool before they could. Fun times.
[Update] Although the boot-rom exploit might not be patchable, limera1n uses a userland exploit to perform the untethered jailbreak. This means that Apple could potentially patch the untethered part of the jailbreak – although the boot-rom exploit would still exist. For more info read Update #1 at the bottom of this post.
Many people seem to be wondering what is meant by limera1n being ‘unpatchable’. Hopefully this posts answers that question somewhat. If you’re still unsure, feel free to post a question in the comments.
Safari 5.0.2 Update Fixes WebKit Bugs
Apple has released Safari 5.0.2 and 4.1.2 updates for Mac OS X and Windows which fix issues in both Safari and WebKit (the browser’s rendering engine).
The first issue, which only affects Safari on Windows systems, may lead to code execution if the user attempts to reveal the location of a downloaded file. The other two vulnerabilities include an input validation issue in WebKit’s handling of floating point data types, and a use-after-free issue in WebKit’s handling of elements with run-in styling. Both of these could be used to perform arbitrary code execution.
These two updates should be available in Software Update.
Hit the jump for Apple’s full patch info.
Apple QuickTime 7.6.7 “_Marshaled_pUnk” Code Execution Vulnerability and Metasploit Exploit
A new (read: yet another) 0day QuickTime vulnerability has been discovered by researcher Ruben Santamarta which leads to arbitrary client-side code execution. The vulnerability, which affects QuickTime <= 7.6.7 on Windows XP, Vista and 7 and defeats DEP and ASLR, is due to a flaw in the way the QuickTime ActiveX controller handles a supplied parameter and treats it as a trusted pointer.
This vulnerability can be exploited by luring the victim to a malicious web page. A heap-spraying Metasploit module has already been published which exploits this issue.
QuickTime Player SMIL Buffer Overflow and Metasploit Exploit
On the 26th July 2010, Krystian Kloskowski discovered a vulnerability in QuickTime Player 7.6.6 for Windows caused by a buffer overflow in the application’s error logging.
The original advisory states:
The vulnerability is caused due to a boundary error in QuickTimeStreaming.qtx when constructing a string to write to a debug log file. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a specially crafted web page that references a SMIL file containing an overly long URL.
Successful exploitation of this vulnerability leads to the ability of executing arbitrary code on the victim’s computer.
A couple of days ago, Joshua Drake (aka. jduck) submitted a working exploit module to the Metasploit Framework.
As QuickTime is installed on many Windows systems these days (it’s included as part of iTunes), this vulnerability poses a real threat. As always users should beware of clicking on unknown links, but ultimately if someone wants to get you to visit a malicious page, they can.
In this case users should update QuickTime asap. Apple has released QuickTime 7.6.7 which fixes this issue.
[Update] Check out the video below for a demo of the Metasploit module in action:
Loading ...
